Weekly Threat Briefing: Oct 28 - Nov 1, 2024

Every week, eSentire’s Threat Response Unit (TRU) compiles the following threat intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.


Investigating a SharePoint Compromise

Bottom Line: Threat actors have been identified exploiting a high-severity vulnerability in on-premises SharePoint servers. Organizations need to ensure that Internet-facing applications are regularly reviewed for vulnerabilities and are prioritized for patching.

On October 30th, Rapid7's Incident Response team published a report detailing a recent investigation into a significant network compromise that began with a vulnerability (CVE-2024-38094) in an on-premises SharePoint server. The attacker leveraged a Microsoft Exchange service account holding domain admin privileges to move laterally across the network, ultimately compromising the entire domain. The analysis highlights the use of sophisticated tactics, including deploying unauthorized software, disabling defenses, tampering with logs, and establishing persistence, which allowed the attacker to remain undetected for two weeks.

The attacker initially exploited CVE-2024-38094, a deserialization vulnerability in Microsoft SharePoint Server that allows remote code execution (RCE) by an authenticated user holding Site Owner permissions; Microsoft patched it in July 2024 and CISA added it to its Known Exploited Vulnerabilities catalog in October 2024. Exploitation let the attacker install a webshell, "ghostfile93.aspx," on the server. This backdoor gave the attacker a foothold reachable from an external IP address, from which they eventually obtained domain administrator access via a Microsoft Exchange service account.

Following the initial compromise, the attackers maintained unauthorized access for two weeks. They bypassed defenses and disabled security tools to remain undetected. Additionally, they installed and leveraged multiple binaries and a third-party antivirus product that the organization had not authorized, which impaired existing security functions and strengthened their persistence on the compromised systems.

The investigation revealed several key Tactics, Techniques, and Procedures (TTPs) used by the attackers. The attackers impaired defenses by installing Huorong Antivirus, a third-party product whose installation conflicted with the existing security solutions and weakened the host's protection. Their first attempts to move laterally with Impacket scripts were blocked, and it was that blocking that prompted the installation of the unauthorized software to get around the existing controls.

Following this, the attacker used the compromised service account to authenticate via Remote Desktop Protocol (RDP) and disabled Windows Defender on the hosts they reached. Leveraging the compromised domain administrator privileges, the attacker accessed authentication logs and executed commands across the domain, including deploying Mimikatz to dump credentials.

Furthermore, to evade detection, the attacker used Mimikatz (whose event module can clear and suppress Windows event logs) and other tools to clear logs and disable logging functions, effectively covering their tracks throughout the attack.
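A hunting pass over the TTPs just described, added here as an example (it is not code from the Rapid7 report or from eSentire): it flags the IIS worker w3wp.exe spawning a shell, a new .aspx written under a SharePoint LAYOUTS directory, Windows Defender being switched off, Mimikatz-style credential dumping, and event-log clearing. The Sysmon/Windows event schema, the LAYOUTS path as the webshell's location, the service-account name, and all sample records are constructed assumptions.

```python
"""Hunt for the SharePoint post-exploitation chain described above (webshell
run by the IIS worker, Defender tampering, credential dumping, log clearing)
over Sysmon/Windows event records.  Added example, not code from the Rapid7
report; the event schema and the sample records below are constructed."""
import re
from dataclasses import dataclass

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe"}
# SharePoint LAYOUTS directories (assumption: a dropped webshell lands here).
SP_LAYOUTS = (
    r"c:\program files\common files\microsoft shared\web server extensions\15\template\layouts",
    r"c:\program files\common files\microsoft shared\web server extensions\16\template\layouts",
)
DEFENDER_TAMPER = re.compile(
    r"set-mppreference\s+-disablerealtimemonitoring\s+\$?true"
    r"|disableantispyware\b.*\b1\b"
    r"|add-mppreference\s+-exclusionpath", re.I)
CRED_DUMP = re.compile(r"sekurlsa::|lsadump::|procdump.*lsass", re.I)
LOG_CLEAR = re.compile(r"wevtutil\s+(cl|clear-log)\b|clear-eventlog|event::(clear|drop)", re.I)


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return a Finding for every event that matches one of the TTPs above."""
    findings = []
    for ev in events:
        host, eid = ev["host"], ev["event_id"]
        if eid == 1:  # Sysmon ProcessCreate
            parent = _basename(ev.get("parent_image", ""))
            child = _basename(ev["image"])
            cmd = ev.get("cmdline", "")
            if parent == "w3wp.exe" and child in SHELLS:
                findings.append(Finding(host, "webshell_exec", f"w3wp.exe -> {cmd}"))
            if DEFENDER_TAMPER.search(cmd):
                findings.append(Finding(host, "defender_tamper", cmd))
            if CRED_DUMP.search(cmd):
                findings.append(Finding(host, "credential_dump", cmd))
            if LOG_CLEAR.search(cmd):
                findings.append(Finding(host, "log_clear", cmd))
        elif eid == 11:  # Sysmon FileCreate
            target = ev["target"].lower()
            if (target.endswith(".aspx") and target.startswith(SP_LAYOUTS)
                    and _basename(ev["image"]) == "w3wp.exe"):
                findings.append(Finding(host, "aspx_dropped", ev["target"]))
        elif eid == 1102:  # Security log: audit log was cleared
            findings.append(Finding(host, "security_log_cleared", ev.get("user", "?")))
    return findings


def sample_events():
    """Constructed records mirroring the reported chain, plus two benign ones."""
    w3wp = r"C:\Windows\System32\inetsrv\w3wp.exe"
    layouts = r"C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS"
    return [
        {"host": "SP01", "event_id": 11, "image": w3wp, "target": layouts + r"\ghostfile93.aspx"},
        {"host": "SP01", "event_id": 11, "image": w3wp, "target": layouts + r"\1033\styles\core.css"},
        {"host": "SP01", "event_id": 1, "parent_image": w3wp, "image": r"C:\Windows\System32\cmd.exe",
         "cmdline": "cmd.exe /c whoami /all"},
        {"host": "SP01", "event_id": 1, "parent_image": r"C:\Windows\explorer.exe",
         "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "cmdline": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
        {"host": "DC01", "event_id": 1, "parent_image": r"C:\Windows\System32\cmd.exe",
         "image": r"C:\Users\Public\m.exe",
         "cmdline": 'm.exe "privilege::debug" "sekurlsa::logonpasswords" "event::clear"'},
        {"host": "DC01", "event_id": 1102, "user": r"CORP\svc_exchange"},  # constructed account name
        {"host": "DC01", "event_id": 1, "parent_image": r"C:\Windows\System32\services.exe",
         "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    ]


if __name__ == "__main__":
    for f in hunt(sample_events()):
        print(f"{f.host:6} {f.rule:22} {f.detail}")
```

Run as a script it prints one line per finding. No single rule is conclusive on its own, but w3wp.exe spawning cmd.exe on a SharePoint server, followed within hours by Defender being disabled or a 1102 event on a domain controller, is exactly the chain the report describes, and each link is cheap to alert on.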

In response to the Rapid7 report, eSentire’s Threat Response Unit (TRU) is performing Indicator-based threat hunts and validating detection coverage. Additionally, eSentire Managed Vulnerability Service (MVS) has plugins in place to detect devices vulnerable to CVE-2024-38094. eSentire TRU is investigating the topic for additional details and detection opportunities.

Learn more in the full threat briefing here.


New Black Basta Social Engineering Technique

Bottom Line: The Black Basta ransomware group has incorporated new social engineering tactics to gain access to victim organizations, including the abuse of Microsoft Teams, email bombing, and Remote Monitoring and Management tools. Organizations must strengthen their defenses against these multi-layered social engineering campaigns.

Researchers from ReliaQuest have observed Black Basta ransomware being deployed via new social engineering tactics. Black Basta is a Ransomware-as-a-Service (RaaS) group first identified in April 2022; the group has compromised more than 500 businesses and critical infrastructure organizations across North America, Europe, and Australia. Black Basta is known to employ the double extortion technique, where data is exfiltrated prior to ransomware deployment.

In recently observed incidents, Black Basta performs a technique known as “email bombing”, where the victim's email address is registered with spam websites, leading to a high volume of spam emails. After the mass spam begins, threat actors contact the victim through an external Microsoft Teams chat, where they pose as support, admin, or help-desk staff. Potential victims are then tricked into launching either the Quick Assist or AnyDesk Remote Monitoring and Management (RMM) tool and granting the attacker a session.

In some cases, threat actors sent victims QR codes to direct them to additional malicious infrastructure; the exact purpose of the malicious QR codes has not been identified at this time. Once access is established via an RMM tool, the attackers go on to harvest credentials from the Local Security Authority Subsystem Service (LSASS) process and deploy Cobalt Strike beacons for lateral movement, before exfiltrating victim data and deploying the final ransomware payload. This set of tactics has been employed by Black Basta threat actors since early October 2024.

In response to the ReliaQuest report, eSentire has performed threat hunts across the client base for known Indicators of Compromise (IoCs). Both eSentire MDR for Network and Endpoint have a variety of rules in place to detect activity associated with Black Basta ransomware deployment. Additionally, eSentire Managed Vulnerability Service (MVS) has plugins in place to detect devices with vulnerabilities known to be targeted by Black Basta affiliates.

Email bombing is a technique that eSentire’s SOC has identified across multiple incidents. It succeeds because the flood of email leaves users alarmed and expecting IT to step in, which makes them more receptive when a threat actor impersonating a help-desk employee contacts them shortly afterwards.

Threat actors employ RMM tools, such as Quick Assist or AnyDesk, because their traffic and processes blend with standard network activity. Attackers can use these tools to take control of the victim’s device, leading to malicious actions such as data theft or the download of additional payloads. These tools are used legitimately across businesses, making them less likely to be quickly identified as malicious.
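The three-stage lure above lends itself to a simple per-user timeline correlation, added here as an example (it is not ReliaQuest's or eSentire's detection content): a spike in inbound mail, then a Teams chat from a domain outside the organization's own, then a Quick Assist or AnyDesk process start on that user's endpoint within a couple of hours. The unified event feed, its field names, the thresholds, and the sample records (including the sender domain and the Quick Assist path, which varies by install type) are constructed assumptions.

```python
"""Correlate the three-stage Black Basta lure described above (email bomb,
external Teams chat from a fake help desk, then a Quick Assist or AnyDesk
launch) per user on one timeline.  Added example, not ReliaQuest's or
eSentire's code; the event feed, its field names and the sample records
are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

RMM_BINARIES = {"quickassist.exe", "anydesk.exe"}
BOMB_THRESHOLD = 50                  # inbound messages ...
BOMB_WINDOW = timedelta(minutes=30)  # ... within this window counts as an email bomb
CHAIN_WINDOW = timedelta(hours=2)    # bomb start -> RMM launch must fit in here


def email_bomb_start(mail_times, threshold=BOMB_THRESHOLD, window=BOMB_WINDOW):
    """Timestamp at which a sliding window first holds >= threshold inbound
    messages, or None if the user's mail volume never spikes."""
    times = sorted(mail_times)
    left = 0
    for right, t in enumerate(times):
        while t - times[left] > window:
            left += 1
        if right - left + 1 >= threshold:
            return times[left]
    return None


def correlate(events, internal_domains):
    """Map each email-bombed user to the lure stages seen after the bomb began."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)
    alerts = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        start = email_bomb_start(e["ts"] for e in evs if e["type"] == "mail_received")
        if start is None:
            continue  # no bomb: lone RMM use is ordinary IT support, not this lure
        deadline = start + CHAIN_WINDOW
        chat = next((e for e in evs if e["type"] == "teams_chat"
                     and e["sender_domain"].lower() not in internal_domains
                     and start <= e["ts"] <= deadline), None)
        after = chat["ts"] if chat else start
        rmm = next((e for e in evs if e["type"] == "process"
                    and e["image"].rsplit("\\", 1)[-1].lower() in RMM_BINARIES
                    and after <= e["ts"] <= deadline), None)
        stages = ["email_bomb"]
        if chat:
            stages.append("external_teams_chat")
        if rmm:
            stages.append("rmm_launch")
        alerts[user] = {"stages": stages,
                        "severity": {1: "low", 2: "medium", 3: "high"}[len(stages)]}
    return alerts


def sample_events():
    """Constructed timeline: alice gets the full chain, bob uses AnyDesk
    legitimately, carol receives steady mail with no spike."""
    t0 = datetime(2024, 10, 29, 9, 0)
    evs = [{"user": "alice", "type": "mail_received", "ts": t0 + timedelta(seconds=20 * i)}
           for i in range(60)]
    evs.append({"user": "alice", "type": "teams_chat", "ts": t0 + timedelta(minutes=25),
                "sender_domain": "it-helpdesk-support.onmicrosoft.com"})  # constructed
    evs.append({"user": "alice", "type": "process", "ts": t0 + timedelta(minutes=40),
                "image": r"C:\Windows\System32\quickassist.exe"})  # path is an assumption
    evs.append({"user": "bob", "type": "process", "ts": t0 + timedelta(hours=1),
                "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"})
    evs += [{"user": "carol", "type": "mail_received", "ts": t0 + timedelta(minutes=5 * i)}
            for i in range(60)]
    return evs


if __name__ == "__main__":
    for user, alert in correlate(sample_events(), {"corp.example"}).items():
        print(user, alert["severity"], " -> ".join(alert["stages"]))
```

Gating on the email bomb keeps routine AnyDesk use (bob) out of the alert, and carol's steady mail never crosses the 50-in-30-minutes threshold. In a real deployment the mail counts come from the gateway, the chat from the Teams audit log, and the process start from EDR, joined on the user; the domain allow-list is the organization's own tenant domains.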

For more information on how threat actors are abusing RMM tools, watch the October eSentire TRU Intelligence Briefing.

Learn more in the full threat briefing here.


National Cyber Threat Assessment 2025-2026

Bottom Line: The Canadian Centre for Cyber Security (CCCS) National Cyber Threat Assessment for 2025-2026 includes information on state adversaries, cybercrime, and threat landscape trends. The report highlights the continued impact of both People's Republic of China threat actors and ransomware on Canadian industries.

On October 30th, the Canadian Centre for Cyber Security (CCCS) released its biennial National Cyber Threat Assessment. The 39-page report describes the expanding and complex set of threats facing both government and private organizations in Canada. According to CCCS, state adversaries targeting Canada have become more aggressive in the past year; the report outlines activity from the People's Republic of China (PRC), Russia, Iran, North Korea, and India. China, Russia, and Iran are reported to be the “greatest strategic cyber threats to Canada”. PRC threat groups have been observed launching campaigns for espionage, intellectual property (IP) theft, malign influence, and transnational repression. PRC-sponsored APTs are considered to be “second to none” and have compromised over 20 Canadian government networks in the past four years.

Russian APTs continue to target Canadian organizations due to Canada’s role in the North Atlantic Treaty Organization (NATO), support for Ukraine, and presence in the Arctic. In addition to groups like Midnight Blizzard, which is directly attributed to Russian intelligence services, there has been an increase in pro-Russian non-state actors. These groups are believed to have loose ties to the Russian government and have targeted Canada in an attempt to sway foreign policy.

Iranian threat actors are reported to be expanding their disruptive cyber capabilities. CCCS has observed Iranian APTs using these capabilities to “coerce, harass, and repress” opponents of the regime.

Outside of state-sponsored threats, ransomware remains one of the most impactful and disruptive threats facing Canadian organizations. Based on CCCS’ dataset, there has been a 26% increase in ransomware attacks year-over-year since 2021. This trend has been enabled by the Ransomware-as-a-Service (RaaS) model, where access to a group’s ransomware is sold or leased to affiliate members. This has allowed less skilled groups to deploy sophisticated ransomware. The majority of ransomware actors targeting Canada are reported to operate out of the former Soviet Union.

CCCS has identified five key trends that will shape threats impacting Canada until 2026:

  • Trend 1: Artificial Intelligence (AI) technologies are amplifying cyber space threats
  • Trend 2: Cyber threat actor tradecraft is evolving to evade detection
  • Trend 3: Geopolitically inspired non-state actors are creating unpredictability
  • Trend 4: Vendor concentration is increasing cyber vulnerability
  • Trend 5: Dual-use commercial services are in the digital crossfire

Government and private organizations in Canada face a growing threat of cyber activity from both state-sponsored and financially motivated threat actors. To combat these threats, it is critical that organizations take a defence-in-depth approach to cybersecurity, which includes monitoring of logs, endpoints, and the network.

CCCS encourages awareness programs and the implementation of best security practices to minimize the impact of threats facing Canadian organizations. Long-term strategic security planning should consider the trends outlined by CCCS, to ensure protections are in place for tools and techniques that are expected to increase over time.

To respond to the ever-increasing threat landscape, including state-sponsored threats, financially motivated cybercriminals, and hacktivists, it is critical that governments and private organizations work in partnership, sharing information on threats and coordinating to enable their disruption.

Learn more in the full threat briefing here.


About the eSentire Threat Response Unit (TRU)

Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.
